Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Aviso de pago.pdf____________________________.exe


General Information

Sample Name:Aviso de pago.pdf____________________________.exe
Analysis ID:626184


Range:0 - 100


Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)


  • System is w10x64
  • Aviso de pago.pdf____________________________.exe (PID: 6232 cmdline: "C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe" MD5: 05B6B97166B339557424CA035418A640)
    • cmd.exe (PID: 6360 cmdline: "C:\Windows\System32\cmd.exe" /c timeout 15 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5836 cmdline: timeout 15 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • MSBuild.exe (PID: 3272 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "danny@permagraf.com.mx", "Password": "icui4cu2@@", "Host": "mail.permagraf.com.mx"}
00000000.00000002.480316793.0000000003980000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000000.00000002.480316793.0000000003980000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      0000000C.00000000.472348543.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        0000000C.00000000.472348543.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          0000000C.00000002.626727734.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 16 entries
            0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
                • 0x2e6d4:$s1: get_kbok
                • 0x2f008:$s2: get_CHoo
                • 0x2fc63:$s3: set_passwordIsSet
                • 0x2e4d8:$s4: get_enableLog
                • 0x32b81:$s8: torbrowser
                • 0x3155d:$s10: logins
                • 0x30ed5:$s11: credential
                • 0x2d8c1:$g1: get_Clipboard
                • 0x2d8cf:$g2: get_Keyboard
                • 0x2d8dc:$g3: get_Password
                • 0x2eeb6:$g4: get_CtrlKeyDown
                • 0x2eec6:$g5: get_ShiftKeyDown
                • 0x2eed7:$g6: get_AltKeyDown
                12.0.MSBuild.exe.400000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  12.0.MSBuild.exe.400000.1.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    Click to see the 26 entries
                    No Sigma rule has matched
                    Timestamp: 05/13/22-17:18:49.165848
                    Source Port:80
                    Destination Port:49763
                    Classtype:A Network Trojan was detected

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    Source: 12.0.MSBuild.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "danny@permagraf.com.mx", "Password": "icui4cu2@@", "Host": "mail.permagraf.com.mx"}
                    Source: Aviso de pago.pdf____________________________.exeReversingLabs: Detection: 24%
                    Source: URL Cloud: Label: malware
                    Source: URL Cloud: Label: malware
                    Source: URL Cloud: Label: malware
                    Source: Detection: 17%Perma Link
                    Source: Aviso de pago.pdf____________________________.exeJoe Sandbox ML: detected
                    Source: 12.0.MSBuild.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                    Source: 12.0.MSBuild.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                    Source: 12.0.MSBuild.exe.400000.3.unpackAvira: Label: TR/Spy.Gen8
                    Source: 12.2.MSBuild.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                    Source: 12.0.MSBuild.exe.400000.2.unpackAvira: Label: TR/Spy.Gen8
                    Source: 12.0.MSBuild.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8